I want to be able to use SFTP to edit files that require root permissions.

I'm using SSH key-based authentication: an RSA key on a smart card.

If the system requires sudo to perform root-level commands, how do I get around this?

Can I create a way of bypassing sudo for SFTP only?

Is there a way to keep sudo & key authentication?

I'm using Windows to connect to Ubuntu. I need this to work with a Mac connecting to Ubuntu as well.

I understand how to do SSH tunneling to admin the system services. Currently, I use root user login directly, but password login is disabled. I didn't understand how to use sudo and SFTP at the same time. It seems to be a best practice to require login as a non-root user and then require use of sudo, since the logs will record who was given escalated privileges for each command.

Should I concern myself with this when using key-based authentication, or is this a trivial difference in security/logging? It seems like key-based authentication records the user's serial number in the logs, and you can have multiple keys for the root user to identify each user. This seems to be the same effect as using sudo to me. Am I wrong?

"It seems to be a best practice to require login as a non-root user and then require use of sudo since the logs will record who was given escalated privileges for each command." - but that's not worth much, because someone who has acquired root privileges can tamper with the logs anyway.
– Martin von Wittich, Jan 26 '14 at 19:18

Just to note there is one correct answer of sftp -s "sudo /usr/lib/openssh/sftp-server" targethost.fqdn below. If sudo requires password you can whitelist this one particular command for nopasswd.
– Mikko Ohtamaa, May 17 at 20:28

5 Answers

SFTP provides command access to file operations, with the restrictions of the account you use. You must use ssh to perform more administrative operations, which makes it impossible to use sudo and SFTP at the same time. If you need access to the entire disk without restriction using SFTP, do it using the root account. Anyway, you can log in as root over sftp and ssh at the same time, of course, using two different sessions.

Security keys improve security and make logging in easier, since they do not require keyboard input. They only help with logging in; you could have several passwords for every user account and have the same effect.

EDIT: I forgot: you can create another account with the same effect as root if you assign it the user id 0, but that would not make any sense, being dangerous in the same way. It could give some obfuscation if somebody tries to log in as root, but apart from that, it does not make much sense.

This would allow another system with the corresponding key to this pair to SFTP into this system as root. You'd still have a record of this connection in your syslog and/or secure.log files (assuming your distro provides this level of logging).

NOTE: Whoever accesses the server in this method would have carte blanche access, so use it wisely. Better still, continue reading and combine this capability with chroot and read-only access to construct tighter restrictions and targeted access to specific locations as root.

chroot & readonly

The other technique you could exploit here would be to limit the SFTP connection so that it was chrooted into specific locations as root, based on which SSH key was used. See my answer to this U&L Q&A titled: "Restrict password-less backup with SFTP" for more details.

You can also control sftp-server through its switches -R and -d.

    -d start_directory
            Specifies an alternate starting directory for users. The pathname
            may contain the following tokens that are expanded at runtime: %%
            is replaced by a literal '%', %h is replaced by the home directory
            of the user being authenticated, and %u is replaced by the username
            of that user. The default is to use the user's home directory.
            This option is useful in conjunction with the sshd_config(5)
            ChrootDirectory option.

    -R      Places this instance of sftp-server into a read-only mode.
            Attempts to open files for writing, as well as other operations
            that change the state of the filesystem, will be denied.

Hmm, but limiting the command to sftp-server doesn't make it any safer, does it? If an attacker gains access to this account, he can easily give himself a root shell using SFTP. So the command limitation is pretty useless from the security point of view :)
– Martin von Wittich, Jan 26 '14 at 22:47

@MartinvonWittich - no, not in the example I've included. That was more to show the potential. Without knowing the exact use cases it's difficult to show a real world example. Giving root SFTP access in any form is just trouble, especially when it's not chrooted.
– slm♦, Jan 26 '14 at 23:20
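As an added example (not part of the answer or its comments): a POSIX shell check that reads authorized_keys-style lines and reports how tightly each key's forced sftp-server command is constrained by the -R and -d switches quoted above. The sample lines, the placeholder key material and the /srv/backup path are constructed; the sftp-server path is the one mentioned in the comment under the question.

```shell
# Added example: report how each authorized_keys entry constrains a forced
# sftp-server command. All sample lines below are constructed.

# classify_key LINE prints one label:
#   unrestricted (no command= option)   other-command (not sftp-server)
#   sftp-rw (no -R: read/write)         sftp-ro (-R, no start directory)
#   sftp-ro-dir (-R and -d DIR)
classify_key() {
    case $1 in
        *'command="'*) ;;
        *) echo unrestricted; return 0 ;;
    esac
    # Text between command=" and the next quote (assumes no escaped quotes).
    cmd=$(printf '%s\n' "$1" | sed 's/.*command="\([^"]*\)".*/\1/')
    case $cmd in
        *sftp-server*) ;;
        *) echo other-command; return 0 ;;
    esac
    ro=no dir=no
    set -f                      # no globbing while splitting into words
    for word in $cmd; do
        case $word in -R) ro=yes ;; -d) dir=yes ;; esac
    done
    set +f
    if [ "$ro" = no ]; then echo sftp-rw
    elif [ "$dir" = yes ]; then echo sftp-ro-dir
    else echo sftp-ro
    fi
}

# audit_keys FILE prints "label<TAB>key comment" for every key line.
audit_keys() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        printf '%s\t%s\n' "$(classify_key "$line")" "${line##* }"
    done < "$1"
}

# Constructed sample; the key material is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ssh-rsa AAAAB3placeholder alice@laptop
command="/usr/lib/openssh/sftp-server",no-pty ssh-rsa AAAAB3placeholder bob@laptop
command="/usr/lib/openssh/sftp-server -R -d /srv/backup",restrict ssh-rsa AAAAB3placeholder backup@nas
EOF
audit_keys "$sample"
rm -f "$sample"
```

On a root account, anything reported as `sftp-rw` is equivalent to a root shell, as the comment above points out. `-d` only sets the starting directory, so confinement still has to come from the sshd_config(5) ChrootDirectory option named in the man page excerpt.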

I had a similar problem in that I wanted to use vimdiff to edit configuration files on a group of mostly similar hosts with cssh and sudo, and you may be able to adapt my solution to your workflow.

sudoedit (part of sudo) allows you to use any editor as a regular user to edit a file that you don't have write permission for, and you can specify the editor with an environment variable. sudoedit copies the file(s), invokes the editor with the names of the copies, waits for the editor to exit, and then copies the modified copy back to where it was. So I created an 'editor' that doesn't edit, but just notes the file for later use and waits, and a wrapper around vimdiff that uses that marker.

The way I use them is: I use cssh to open a connection to all four hosts and then use a command like EDITOR=~/.bin/redit sudoedit /etc/conf/file, and then in a different window run ~/.bin/redit1, make my changes, save and exit, switch back to cssh and press Enter to commit the changes and exit sudoedit (unless I am editing more than one file, in which case redit advances to the next file in the list and you run redit1 again for the next file).

Since what you are doing is less complicated, you don't need redit1, because you are only working with one remote host; you can just point your sftp editor at host:.var/redit/host or equivalent.
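The placeholder-editor idea described in this answer, as an added example that is not the answer author's redit script. It assumes each temporary copy is exposed as a symlink named after the host inside a link directory (modelled on the .var/redit path mentioned above); the function name `hold_for_edit` is hypothetical.

```shell
#!/bin/sh
# Added example, not the answer author's redit script: a placeholder
# "editor" for sudoedit. sudoedit runs $EDITOR as the invoking user on
# temporary copies owned by that user, then installs changed copies
# once the editor exits.

# hold_for_edit LINKDIR COPY...
# Assumption: each temporary copy is exposed as the symlink
# LINKDIR/<hostname>, so an SFTP client logged in as the same unprivileged
# user can open it. Blocks on stdin until Enter is pressed for each copy.
hold_for_edit() {
    linkdir=$1
    shift
    mkdir -p "$linkdir" || return 1
    chmod 700 "$linkdir" || return 1      # only this user may follow the link
    link=$linkdir/$(uname -n)
    for copy in "$@"; do
        ln -sfn "$copy" "$link" || return 1
        printf 'Edit %s via %s, then press Enter: ' "$copy" "$link" >&2
        IFS= read -r reply || break       # EOF on stdin: stop waiting
    done
    rm -f "$link"
}

# When installed as a script and used as EDITOR, sudoedit supplies the copies.
if [ "$#" -gt 0 ]; then
    hold_for_edit "$HOME/.var/redit" "$@"
fi
```

The SFTP session never needs root here: it edits a copy owned by the login user, and sudo decides which target files that user may replace.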